Bugzilla – Bug 64435
VUL-0: CVE-2005-0337: Postfix, permit_mx_backup, IPv6, chroot --> Open Relay!
Last modified: 2021-10-19 14:00:02 UTC
Our Postfix 2.1.4 runs smtpd chrooted and has "permit_mx_backup" in smtpd_recipient_restrictions. It relays mails to every destination that has an MX with AAAA records set in DNS (IPv6) -- like eu.org.

peer@hurricane:~> dig eu.org MX
eu.org. 222593 IN MX 10 ns.eu.org.
peer@hurricane:~> dig ns.eu.org AAAA
ns.eu.org. 224544 IN AAAA 2001:660:330f:2::da

If Postfix tries to match the destination IP against its own addresses, the file access to /proc/net/if_inet6 fails, because this file is not available in a chrooted environment. This could be a mistake of the chroot environment, but anyway: the check should fail in this case -- but Postfix finishes this check with a positive result:

Dec 20 12:36:02 brainy postfix/smtpd[4729]: warning: inet_addr_local[procnet_ifinet6]: Couldn't open /proc/net/if_inet6 for reading: No such file or directory
Dec 20 12:36:02 brainy postfix/smtpd[4729]: inet_addr_local: configured 0 IPv6 addresses
Dec 20 12:36:02 brainy postfix/smtpd[4729]: has_my_addr: addr 2001:660:330f:2::da
Dec 20 12:36:02 brainy postfix/smtpd[4729]: generic_checks: name=permit_mx_backup status=1

So Postfix relays mail to all *destinations* that have IPv6 records set, if smtpd runs chrooted and if /proc/net/if_inet6 isn't readable. Wietse Venema said he never published Postfix with support for IPv6 in general.
Install 9.1, run smtpd chrooted, use permit_mx_backup in smtpd_*_restrictions and try to relay mail to foo@eu.org. Postfix will act as an open relay where it should reject the mail with "Relay access denied".
Well, 2.1.1 is the version on 9.1 and SLES9, but 2.1.1 also has this bug. As you already don't run 2.1.1 anymore, I would suggest upgrading to 2.1.5, which doesn't seem to have this bug anymore. I'll do a backport of the fix meanwhile.
comment #2 is wrong, 2.1.5 also does not work
That bug is also in SLES9, moving it to SLES9 because of its importance.
Created attachment 27247: proc2chroot.patch
Patch to SuSEconfig.postfix to mount proc into the chroot jail.
I will discuss that problem on the ipv6 and/or postfix list when I'm back from vacation.
Dean Strik, the author of the IPv6 Postfix patch, wrote me:

You'll need to mount /proc in the chroot then as a workaround. The alternative (but not yet implemented) fix is that the file is read before entering the chroot. This has been on my todo list, but haven't done it yet.

> So Postfix relays mail to all *destinations* that have IPv6-records
> set, if smtpd runs chrooted and if /proc/net/if_inet6 isn't readable.

Found it. A programming error on my part. Patch attached. Please let me know if it works correctly.
Created attachment 27308: Patch from Dean Strik
The patch should fix the bug in Postfix: a non-working check of the server's IPv6 addresses shouldn't give a positive result for permit_mx_backup any more.
The fix is working.
Please test ftp://ftp.suse.com/pub/people/choeger/postfix-sles9-i586/postfix-2.1.1-1.8.i586.rpm
I would recommend making a maintenance update for SLES9. Ralf?
reassigning
fixes submitted
Wietse Venema wrote me: FYI, while adopting and rewriting the IPv6 patch, this problem was eliminated by always accessing /proc before a process chroots. I inserted an own_inet_addr_list() call in mail_params_init(), so that the call is done even when mynetworks is specified in main.cf. The result is now running on my main server.
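The two fixes discussed in this thread (Dean Strik's: a failed address lookup must not yield a positive permit_mx_backup result; Wietse Venema's: read /proc/net/if_inet6 before the process chroots) come down to one design rule: a check that cannot determine the server's own addresses must fail closed. The following is an added illustration, not Postfix code and not either patch. The /proc/net/if_inet6 sample text, the function and class names, and the fail-open variant are all constructed here; the fail-open function only reproduces the shape of the behaviour the log excerpt in the report shows (0 configured addresses, yet status=1), not the actual Postfix 2.1 code path.

```python
"""Fail-closed modelling of a permit_mx_backup style check (added example)."""
import ipaddress

PERMIT, DUNNO, DEFER = "permit", "dunno", "defer"

# Constructed /proc/net/if_inet6 sample (not from the bug report). Each real
# line is: 32 hex digits of the address, interface index, prefix length,
# scope, flags, device name.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
20010db8000000000000000000000010 02 40 00 80     eth0
"""


class LocalAddressUnknown(Exception):
    """The host's own addresses could not be determined (e.g. /proc unreadable)."""


def parse_if_inet6(text):
    """Parse /proc/net/if_inet6 text into a set of IPv6Address objects."""
    addrs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or len(fields[0]) != 32:
            continue  # skip anything that is not a well-formed entry
        addrs.add(ipaddress.IPv6Address(int(fields[0], 16)))
    return addrs


def load_local_ipv6(read_proc):
    """read_proc() returns the file text or raises OSError. A read failure is
    surfaced as LocalAddressUnknown instead of being folded into 'no addresses'."""
    try:
        text = read_proc()
    except OSError as exc:
        raise LocalAddressUnknown(f"cannot read if_inet6: {exc}") from exc
    return parse_if_inet6(text)


def permit_mx_backup_failopen(local_addrs, mx_addrs):
    """Constructed fail-open shape: a failed read shows up as an empty address
    list, and the check treats 'cannot tell' as 'we are the backup MX'."""
    if not local_addrs:
        return PERMIT
    return PERMIT if any(a in local_addrs for a in mx_addrs) else DUNNO


def permit_mx_backup_failclosed(local_addrs, mx_addrs):
    """PERMIT only on a positive match; unknown own addresses give a temporary
    failure (DEFER), never a relay permission."""
    if local_addrs is None:
        return DEFER
    return PERMIT if any(a in local_addrs for a in mx_addrs) else DUNNO


class SmtpdPolicy:
    """Hypothetical daemon: loads its own addresses once, before chroot, and
    answers later checks from that cache (the ordering Wietse describes)."""

    def __init__(self, read_proc):
        try:
            self.local = load_local_ipv6(read_proc)
        except LocalAddressUnknown:
            self.local = None
        self.chrooted = False

    def enter_chroot(self):
        self.chrooted = True  # from here on /proc would be unreadable

    def check(self, mx_addrs):
        return permit_mx_backup_failclosed(
            self.local, [ipaddress.IPv6Address(a) for a in mx_addrs])


def demo():
    """Run the scenarios from the thread and return the decisions."""
    def proc_ok():
        return SAMPLE_IF_INET6

    def proc_missing():
        raise FileNotFoundError("/proc/net/if_inet6")

    remote_mx = [ipaddress.IPv6Address("2001:db8::aa")]  # constructed remote MX
    results = {}
    # Chrooted, /proc missing, fail-open logic: an open relay.
    results["failopen_missing_proc"] = permit_mx_backup_failopen(set(), remote_mx)
    # Same situation, fail-closed logic: temporary failure instead.
    results["failclosed_missing_proc"] = permit_mx_backup_failclosed(None, remote_mx)
    # Addresses read before chroot, checks answered from the cache afterwards.
    policy = SmtpdPolicy(proc_ok)
    policy.enter_chroot()
    results["prechroot_remote_mx"] = policy.check(["2001:db8::aa"])
    results["prechroot_own_mx"] = policy.check(["2001:db8::10"])
    # Read fails even before chroot: still never a permit.
    results["unreadable_at_start"] = SmtpdPolicy(proc_missing).check(["2001:db8::aa"])
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point a reviewer of such a check looks for is the third state: "no local IPv6 addresses" and "could not read the local addresses" must be distinguishable, and only a positive match may ever return PERMIT.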
Btw: I wouldn't be angry if "Peer Heinlein, http://www.heinlein-support.de" could be named as the discoverer of the bug if you publish a Security Announcement.
Reopened by lnussel@suse.de at Fri Jan 14 17:08:11 2005, took initial reporter p.heinlein@jpberlin.de to cc
I wrote a mail to Dean Strik to request delay of public disclosure so I can notify vendor-sec and give THEM a chance to fix it as well. Do you mind delaying the disclosure if Dean didn't disclose it already?
No.
Any news for this issue? A new disclosure date or something?
Any news? This fix also blocks two other fixes (49695 and 49760).
Ludwig?
I've just written another mail to Dean Strik, as he wanted to notify vendor-sec.
updates approved.
Make it visible for externals too.
CAN-2005-0337
CVE-2005-0337: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)